As integrated circuits (ICs) and printed circuit boards (PCBs) have become smaller, more complex and more powerful, testing such components has become increasingly difficult. Such high-density devices create several unique manufacturing challenges, such as the accessibility of test points within the designs and the high cost of test equipment.
In the mid-1980s a group of European companies formed a group called Joint European Test Action Group (JETAG) to address the issues of accessibility of test points within the designs and the high cost of test equipment. The JETAG group proposed incorporating hardware into standard components (controlled by software), thus eliminating the need for sophisticated in-circuit test equipment. In 1988, the concept gained momentum in North America and several companies formed the Joint Test Access Group (JTAG) consortium to formalize the idea. In 1990, the Institute of Electrical and Electronic Engineers (IEEE) refined the concept and created the 1149.1 standard known as IEEE Standard Test Access Port and Boundary Scan Architecture.
The specification JTAG devised uses boundary scan technology, which enables engineers to perform extensive debugging and diagnostics on a system through a number of dedicated test pins. Signals are scanned serially into and out of registers connected to the I/O pins of a device to control its inputs and test the outputs under various conditions. By themselves, the I/O pins provide limited visibility into the workings of the device. However, in scannable devices, the registers are connected in a dedicated path around the device's boundary. The path creates a virtual access capability that circumvents the normal inputs and provides direct control of the device and detailed visibility at its outputs. Today, boundary scan technology is the most popular and widely used design-for-test technique in the industry.
During testing, I/O signals enter and leave the chip through the boundary scan registers. The boundary scan registers can be configured to support external testing for interconnection between chips or internal testing for logic within the chip. To provide boundary scan capability, IC vendors add additional logic to each of their devices, including multiple other register types, a dedicated scan path connecting these other registers, four or five additional pins, and control circuitry. The overhead for this additional logic is generally well worth the price to have efficient testing capabilities.
Boundary scan control signals, collectively referred to as the Test Access Port (TAP), define a serial protocol for scan based devices. The first of these signals, TCK/clock synchronizes the internal state machine operations. The second signal, TMS/mode select is sampled at the rising edge of TCK to determine the next state. The third signal, TDI/data-in is sampled at the rising edge of TCK and is shifted into the device's test or programming logic when the internal state machine is in the correct state. The fourth signal, TDO/data-out represents the data shifted out of the device's test or programming logic and is valid on the falling edge of TCK when the internal state machine is in the correct state. Finally, the TRST/reset (optional) signal, when driven low, resets the internal state machine. In addition to the TAP, a boundary scan chain also contains the following devices: a TAP Controller, an instruction register, at least one scannable test data register, and multiple boundary scan registers.
The TCK, TMS and TRST input pins drive a 16-state TAP controller state machine. The TAP controller manages the exchange of data and instructions. The controller advances to the next state based on the value of the TMS signal at each rising edge of TCK. With the proper wiring, multiple ICs/boards can be tested simultaneously. An external file, known as a Boundary Scan Description Language (BSDL) file, defines the capabilities of any single device's boundary-scan logic.
In normal operation, the instruction register receives an instruction through TDI, decodes it, and selects the appropriate data register depending on the state of the TAP controller. The instruction register is used to set the mode of operation for one or more data registers. It is controlled by the TAP signals and can be placed between TDI and TDO for loading and unloading serially shifted data. In addition to the instruction register, numerous other registers including a data register, bypass register, device identity register, and multiple user-defined registers can be utilized. The particular register of operation is dictated by an instruction from the instruction register.
Boundary scan cells operate in four different functional modes: normal mode, capture mode, scan mode and update mode. Each mode state is governed by a mode signal. In normal mode, the boundary scan cell is transparent and the data in value corresponds to the data out value. During normal IC activity, data in and data out pass freely through each boundary scan cell. In capture mode, data in moves through the boundary scan cell and is stored, and thereby applies a clock pulse signal on Clock IR. The data out value depends on the mode. In scan mode, the boundary scan cells are connected in series to form a chain through the scan in and scan out signals. The shift operations are controlled by the Clock IR signal. In update mode, the value stored in that was previously loaded by a scan or capture operation, is latched into an update flip-flop with a Clock IR pulse. Once latched, the signal is available to pass through the chain and ultimately becomes the data out value.
The TAP controller is a 16-state finite state machine added to the IC die itself; it recognizes the communication protocol and generates the internal control signals used by the remainder of the boundary scan chain. The TAP controller is driven by TCK, TMS, and optionally TRST only. These signals program the TAP controller, generating clock and control signals for the instruction and test data registers. Only three events can trigger a change of TAP controller state: a TCK rising edge, assertion of a logic 0 onto TRST (if it exists), and system power on. Movement through the TAP controller is controlled by the value of TMS, a set-up time prior to the rising edge of TCK. The 1s and 0s adjacent to each state transition arc show the value that must be present on TMS at the time of the next rising edge of TCK. An assertion of TRST will always send the TAP controller to a reset state.
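The TMS-driven state machine described in the two TAP controller passages above can be written as a transition table. This is an added example, not part of the original text: the state names and transitions are those of IEEE 1149.1 (the transition diagram itself is not reproduced on this page), and the function names are illustrative.

```c
#include <stdio.h>

/* The 16 TAP controller states, named as in IEEE 1149.1 (names are not on this page). */
enum tap_state {
    TLR, RTI, SEL_DR, CAP_DR, SHIFT_DR, EXIT1_DR, PAUSE_DR, EXIT2_DR, UPD_DR,
    SEL_IR, CAP_IR, SHIFT_IR, EXIT1_IR, PAUSE_IR, EXIT2_IR, UPD_IR, TAP_STATES
};

/* NEXT[state][tms]: state entered at the next rising edge of TCK for TMS = 0 / 1. */
static const enum tap_state NEXT[TAP_STATES][2] = {
    [TLR]      = { RTI,      TLR      }, [RTI]      = { RTI,      SEL_DR   },
    [SEL_DR]   = { CAP_DR,   SEL_IR   }, [SEL_IR]   = { CAP_IR,   TLR      },
    [CAP_DR]   = { SHIFT_DR, EXIT1_DR }, [CAP_IR]   = { SHIFT_IR, EXIT1_IR },
    [SHIFT_DR] = { SHIFT_DR, EXIT1_DR }, [SHIFT_IR] = { SHIFT_IR, EXIT1_IR },
    [EXIT1_DR] = { PAUSE_DR, UPD_DR   }, [EXIT1_IR] = { PAUSE_IR, UPD_IR   },
    [PAUSE_DR] = { PAUSE_DR, EXIT2_DR }, [PAUSE_IR] = { PAUSE_IR, EXIT2_IR },
    [EXIT2_DR] = { SHIFT_DR, UPD_DR   }, [EXIT2_IR] = { SHIFT_IR, UPD_IR   },
    [UPD_DR]   = { RTI,      SEL_DR   }, [UPD_IR]   = { RTI,      SEL_DR   },
};

/* One rising edge of TCK. trst_n is the optional active-low TRST pin
 * (pass 1 when the device has none); while it is low the controller is in reset. */
enum tap_state tap_clock(enum tap_state s, int tms, int trst_n)
{
    return trst_n ? NEXT[s][tms ? 1 : 0] : TLR;
}

/* Apply a string of TMS values ('0'/'1'), one per rising edge of TCK. */
enum tap_state tap_walk(enum tap_state s, const char *tms_bits)
{
    for (; *tms_bits; tms_bits++)
        s = tap_clock(s, *tms_bits == '1', 1);
    return s;
}

/* Returns 1 if five TCK edges with TMS = 1 reach Test-Logic-Reset from every state,
 * which is how a TAP without a TRST pin is brought to a known state. */
int five_ones_always_reset(void)
{
    for (int s = 0; s < TAP_STATES; s++)
        if (tap_walk((enum tap_state)s, "11111") != TLR) return 0;
    return 1;
}

int main(void)
{
    printf("TLR + 0100 -> state %d (Shift-DR is %d)\n", tap_walk(TLR, "0100"), SHIFT_DR);
    printf("five ones reset from any state: %d\n", five_ones_always_reset());
    return 0;
}
```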
The standard test process for verifying a device or circuit board using boundary-scan technology is as follows: First, the test applies test or diagnostic data in the input pins of the device. Next, the boundary scan cells capture the data in the Boundary Scan Systems monitoring the input pins. Data is then scanned out of the device via the TDO pin, for verification. Data can then be scanned into the device via the TDI pin. Finally, the tester can then verify data on the output pins of the device.
Scan tests can find manufacturing defects such as unconnected pins, a missing device, an incorrect or rotated device on a circuit board, and even a failed or dead device. One advantage of scan testing technology is the ability to observe data at the device inputs and control the data at the outputs independently of the application logic. Another benefit of scan testing is that one is able to view and/or access internal data not otherwise available at an I/O pin. Yet another benefit is the ability to reduce the number of overall test points required for device access. With boundary scan, there are no physical test points. This can help lower board fabrication costs and increase package density.
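The scan, update and capture steps and the unconnected-pin defect described above can be put together as a small board-level interconnect test. This is an added example, not part of the original text; it assumes two hypothetical devices U1 and U2 with 8-cell boundary registers joined by eight nets, and that an open net reads as logic 1 at the receiving pin.

```c
#include <stdio.h>
#include <string.h>
#define NPINS 8

/* Boundary register of one device: per pin a shift/capture stage and an update latch. */
struct bsr { unsigned char shift[NPINS], update[NPINS]; };

/* Scan mode, one TCK: TDI enters cell 0, the last cell's value leaves on TDO. */
static int bsr_shift(struct bsr *r, int tdi)
{
    int tdo = r->shift[NPINS - 1];
    memmove(r->shift + 1, r->shift, NPINS - 1);
    r->shift[0] = (unsigned char)(tdi & 1);
    return tdo;
}

/* Shift NPINS bits in while the previous contents shift out; bit i maps to cell i. */
unsigned bsr_scan(struct bsr *r, unsigned in)
{
    unsigned out = 0;
    for (int k = NPINS - 1; k >= 0; k--)
        out |= (unsigned)bsr_shift(r, (int)(in >> k) & 1) << k;
    return out;
}

/* Drive patterns from U1, capture them at U2, scan the result out and compare.
 * open_mask marks the constructed faults: bit i set means net i is unconnected.
 * Returns a bit mask of nets whose captured value differed from the driven one. */
unsigned interconnect_test(unsigned open_mask)
{
    static const unsigned patterns[] = { 0x55, 0xAA };  /* every net sees 0 and 1 */
    struct bsr u1 = {{0}, {0}}, u2 = {{0}, {0}};
    unsigned failed = 0;
    for (int p = 0; p < 2; p++) {
        bsr_scan(&u1, patterns[p]);                  /* scan mode: load via TDI   */
        memcpy(u1.update, u1.shift, NPINS);          /* update mode: drive pins   */
        for (int i = 0; i < NPINS; i++)              /* capture mode at U2 inputs */
            u2.shift[i] = ((open_mask >> i) & 1) ? 1 : u1.update[i];
        failed |= bsr_scan(&u2, 0) ^ patterns[p];    /* scan out via TDO, compare */
    }
    return failed;
}

int main(void)
{
    printf("no fault:   0x%02X\n", interconnect_test(0x00));
    printf("net 3 open: 0x%02X\n", interconnect_test(0x08));
    return 0;
}
```

Two complementary patterns are needed because a net stuck at 1 only shows up when a 0 is driven onto it.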
Boundary scan provides a better set of diagnostics than other test techniques. Conventional techniques apply test vectors (patterns) to the inputs of the device and monitor the outputs. If there is a problem with the test, it can be time consuming to isolate the problem. Additional tests have to be run to isolate the failure. With JTAG boundary scan, the boundary scan registers observe device responses by monitoring the input pins of the device. This enables easy isolation of various classes of test failures, such as a pin not making contact with the circuit board. Boundary scan can be used for functional testing and debugging at various levels, from internal IC tests to board-level tests. The technology is even useful for hardware/software integration testing.
Though boundary scan is now the test scan chain design of choice, another kind of scan design is Level Sensitive Scan Design (LSSD), which uses separate system and scan clocks to distinguish between normal and test mode. Latches are used in pairs; each has a normal data input, data output and clock for system operation. For test operation, the two latches form a master/slave pair with one scan input, one scan output and non-overlapping scan clocks A and B, which are held low during system operation but cause the scan data to be latched when pulsed high during scan. The advantages of using the LSSD design are that the testing issue is changed to a combinational circuit test, instead of a sequential circuit test, and that LSSD testing adds controllability of the scan controller state variables. The disadvantages of LSSD testing are that the LSSD latches require greater area, more time is needed to latch a next state into LSSD registers and to scan test vectors in and out, and clock generation and allocation is more complicated. Other, less commonly used scan chain designs are Random Access Scan (RAS) and General Scan Design (GSD).
The LSSD, JTAG, and equivalent designs all provide an interface or “back door” for a hardware or software hacker, i.e., a person unauthorized to access information contained in the scannable device, and more particularly, to gain access to and/or exit from the manufacturer's, or other authorized party's (manufacturer's customer), proprietary information embedded in the device. There may be much economic gain to be had through hacking into the internal proprietary information of these scannable devices, as hacking can be used, for example, to enable or unlock features intended to be paid upgrades. In these systems, encryption is often employed in an attempt to protect proprietary data. However, recent advances in hacking techniques have allowed hackers to overcome many encryption processes through the LSSD, JTAG, or equivalent test interfaces. For example, by analyzing the output patterns of LSSD, JTAG, or equivalent scannable systems, with a computer-aided Karnaugh map or through output pattern inspection, a thief can extrapolate the scannable device's internal logic.
Further, in conventional integrated circuit device manufacturing, systems on chips (SOCs) and other devices are designed and produced for relatively specific purposes. In this type of manufacturing process, some chips are inherently more advanced than others, and generally speaking, the more advanced chips may often include the ability to perform the functions of the less advanced chips. In this situation, it is often practical from a manufacturing cost standpoint to simply manufacture only the more advanced chips and use these chips for all applications, as the difference in cost per chip between the more advanced chips and the less advanced chips is often negligible. The more complex chip may then be implemented into configurations of lesser complexity with the unused or more advanced portions or modules of the chip disabled. Similarly, when a more complex chip is implemented into a less complex application, the manufacturer has the option of enabling the disabled portions of the chip to upgrade the chip as demands necessitate.
However, from a business standpoint, manufacturing a single chip for multiple complex applications and disabling the more advanced portions of complex chips used in configurations of lesser complexity can be problematic, as chip hackers may exploit the use of the more advanced chip in a configuration of less complexity, e.g., the hackers will use unauthorized methods to unlock the disabled modules of the chip. The unauthorized access to and/or exit from the disabled portions of the chip decreases the manufacturer's revenue such that the manufacturing cost savings incurred as a result of manufacturing only the more advanced chips are often eliminated. Further, in some cases, hacking may result in degradation of device reliability and possibly catastrophic failure (e.g., device overheating) if an operating frequency is increased. This may be particularly problematic for a manufacturer if the hacker is not the end user, for example, if the hacker is in the supply chain and passes on a hacked device to an unsuspecting end user who then returns it to the manufacturer or seeks remedy for damages from the manufacturer.
Accordingly, there is a need for methods and systems for preventing unauthorized access to and/or exit from internal device information through test interfaces, after the devices have left the manufacturing facility.